I was emailed by Aaron last night to make me aware of a new paper called "Search Engines Used to Attack Databases" (A pdf is available on this page) on the recent new technique of using search engines to attack databases. This is a technique I have talked about quite a bit lately, the so called google hacking technique. The idea is that a hacker looks for insecure databases and web application fronted databases then specifically searches for those sites that have known vulnerabilities or configuration issues or even Oracle web based tools such as iSQL*Plus. This means that the hacker can do his information and reconnaissance phase almost completely without accessing the sites that he going to attack. This makes it very difficult for a hacker to leave a trail before the actual attack. The attackers will also tend to cherry pick the easiest sites from their search engine results pages.

All of this means that DBA's and site security managers need to take database security seriously and also learn the techniques of google hacking and apply them against their own Oracle databases so that they do not fall prey to one of the newest database (and in general) hacking techniques.

Aaron’s paper is excellent and covers the subject very well. Aaron starts off by talking about database security in general and the sad fact that a lot of companies do not protect the data at source but instead use perimeter security techniques such as firewalls. he then talks about search engine hacking and moves on to talk in detail about how to find Oracle databases exposed to the Internet. Aaron goes through some examples of how to use google to search for the web based version of SQL*Plus, iSQL*Plus showing some sample results from a google search and also a Yahoo! search.

He then details how iSQL*Plus can be used to hack a 9.2.0.5 database patched for alert #68 by using a common default username and password DBSNMP/DBSNMP. Aaron gives a link to the CIRT Oracle default password list but I should point out that the Oracle default password list is much larger than the CIRT list and my list contains 600 default usernames and passwords. I also have an Oracle default password check script on my site. Aaron then goes on to show how a list of usernames and password hashes can be obtained for offline cracking.

Aaron then goes on to talk about looking for web pages that are vulnerable to SQL Injection attempts (I have written a three part paper on SQL Injection in Oracle a while ago). Aaron shows some results and then goes on to show an actual attack. He then talks about SQL Buffer overflows and JDBC as well as error strings. The paper moves on to talk about directory listings being revealed and closes with thoughts on how to militate against the issue.

This is a superb paper introducing the subject of google hacking and search engine hacking in general to the Oracle community and in particular to those interested in securing their data. All DBA's owe it to themselves to read this paper and learn about how simply exposing files to the Internet can have disastrous results. The paper "Search Engines Used to Attack Databases is here".

About

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.